REDHAT-BUG-578572
First published: Wed Mar 31 2010(Updated: )
Apache CouchDB upstream has released latest, v0.11.0 version, addressing timing attack flaw(s). More from Bugtraq post: [1] <a href="http://seclists.org/bugtraq/2010/Mar/254">http://seclists.org/bugtraq/2010/Mar/254</a> "Apache CouchDB versions prior to version 0.11.0 are vulnerable to timing attacks, also known as side-channel information leakage, due to using simple break-on-inequality string comparisons when verifying hashes and passwords." References: [2] <a href="http://wiki.apache.org/couchdb/Breaking_changes">http://wiki.apache.org/couchdb/Breaking_changes</a> [3] <a href="http://codahale.com/a-lesson-in-timing-attacks/">http://codahale.com/a-lesson-in-timing-attacks/</a> [4] <a href="http://couchdb.apache.org/">http://couchdb.apache.org/</a> [5] <a href="http://couchdb.apache.org/downloads.html">http://couchdb.apache.org/downloads.html</a> Credit: Jason Davies of the Apache CouchDB development team CVE Request for Apache CouchDB v0.11.0: [6] <a href="http://www.openwall.com/lists/oss-security/2010/03/31/5">http://www.openwall.com/lists/oss-security/2010/03/31/5</a>
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache CouchDB | <0.11.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://seclists.org/bugtraq/2010/Mar/254
- http://wiki.apache.org/couchdb/Breaking_changes
- http://codahale.com/a-lesson-in-timing-attacks/
- http://couchdb.apache.org/
- http://couchdb.apache.org/downloads.html
- http://www.openwall.com/lists/oss-security/2010/03/31/5
- http://seclists.org/fulldisclosure/2010/Mar/554
- http://admin.fedoraproject.org/updates/couchdb-0.10.2-1.fc11
- http://admin.fedoraproject.org/updates/couchdb-0.10.2-1.fc12
- http://admin.fedoraproject.org/updates/couchdb-0.10.2-1.el5
- http://admin.fedoraproject.org/updates/couchdb-0.10.2-1.fc13
- https://bugzilla.redhat.com/show_bug.cgi?id=578572
Frequently Asked Questions
What is the severity of REDHAT-BUG-578572?
The severity of REDHAT-BUG-578572 is considered high due to the vulnerability to timing attacks in Apache CouchDB.
How do I fix REDHAT-BUG-578572?
To fix REDHAT-BUG-578572, upgrade Apache CouchDB to version 0.11.0 or later.
What versions of Apache CouchDB are affected by REDHAT-BUG-578572?
Apache CouchDB versions prior to 0.11.0 are affected by REDHAT-BUG-578572.
Can REDHAT-BUG-578572 lead to data breaches?
Yes, REDHAT-BUG-578572 can potentially lead to data breaches through timing attack exploits.
Is there a workaround for REDHAT-BUG-578572?
There are no known workarounds for REDHAT-BUG-578572; updating to the fixed version is necessary.
- agent/references
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2010-0009
- agent/severity
- agent/description
- agent/event
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/apache
- canonical/apache couchdb